Transmittal of FY 2011 Assessment of EEOC's Compliance with Provisions of the Federal Information Security Management Act of 2002 (FISMA)

U.S. Equal Employment Opportunity Commission
Office of Inspector General

November 17, 2011

MEMORANDUM

TO: Kimberly Hancher, Director, Office of Information Technology
FROM: Milton A. Mayo, Jr., Inspector General
SUBJECT: Transmittal of FY 2011 Assessment of EEOC's Compliance with Provisions of the Federal Information Security Management Act of 2002 (FISMA) (OIG Report No. 2011-05-FISMA)

The Office of Inspector General contracted with the Certified Public Accounting firm Clifton Gunderson LLP to conduct an independent evaluation of EEOC's information security program and practices as required by FISMA, and to comply with the Office of Management and Budget's (OMB) reporting requirements for Inspectors General.

Attached is the FY 2011 Assessment of EEOC's Compliance with Provisions of the Federal Information Security Management Act of 2002 (FISMA) report prepared by Clifton Gunderson (CG). CG notes in its report that the EEOC has made positive strides over the last year in addressing information security weaknesses; however, improvements are needed in the following areas: Access Control/Identification and Authentication, Contingency Planning, Configuration Management, and Account and Identity Management. EEOC management was given the opportunity to review the draft report and to provide comments. Management comments are included in the report.
Also, the status of prior year FISMA findings is included as Appendix A of the report.

The Office of Management and Budget issued Circular Number A-50, Audit Follow Up, to ensure that corrective action on audit findings and recommendations proceeds as rapidly as possible. EEOC Order 192.002, Audit Follow Up Program, implements Circular Number A-50 and requires that, for resolved recommendations, a corrective action work plan be submitted within 30 days of the final evaluation report date describing the specific tasks and completion dates necessary to implement audit recommendations. Circular Number A-50 requires prompt resolution and corrective action on audit recommendations. Resolutions should be made within six months of final report issuance.

If you have any questions, please feel free to contact Mr. Willie Eggleston, Senior Auditor, at extension 4372. We appreciate your assistance.

cc: Pierette McIntire


Assessment of Equal Employment Opportunity Commission's (EEOC) Compliance with Provisions of the Federal Information Security Management Act of 2002, Fiscal Year 2011
Final Report

TABLE OF CONTENTS
Executive Summary
Background
Audit Objective
Scope
Testing Methodology
Findings and Recommendations
Appendix A: Status of Prior Year (FY2010) Findings

Executive Summary

The EEOC Office of Inspector General (OIG) contracted with Clifton Gunderson LLP (CG) to conduct an audit of EEOC's compliance with the provisions of the Federal Information Security Management Act of 2002 for Fiscal Year (FY) 2011.

The Federal Information Security Management Act of 2002 (FISMA) requires agencies to develop, document, and implement an agency-wide information security program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source.

The audit meets the FISMA requirement for an annual evaluation of EEOC's information security program. The overall objective of this audit was to determine if EEOC's information security program met the requirements of the Federal Information Security Management Act of 2002. Specifically, we performed audit work associated with the FISMA Office of Management and Budget (OMB) annual reporting requirements for OIGs and completed a review of six EEOC information systems: the EEOC Network, EEO-1 Survey System, Document Management System, Integrated Mission System, Integrated Financial Management System, and Federal Personnel and Payroll System. In addition, five Notices of Finding and Recommendation (NFRs) were submitted to EEOC management to include findings from both the system reviews and the component level review.

The audit concluded that EEOC met most, but not all, of the key requirements of FISMA. The Agency has made positive strides over the last year in addressing information security weaknesses and continues to make progress in becoming fully compliant with FISMA. However, EEOC still faces challenges to refine its information security program. These challenges involve:
- Maintaining documentation for network access requests/approvals.
- Implementing multi-factor authentication.
- Updating the agency-wide Business Impact Analysis (BIA).
- Implementing controls over the agency's vulnerability assessment process.
- Removing Virtual Private Network (VPN) access for separated employees in a timely manner.

Consequently, EEOC's operations and assets may be at risk of misuse and disruption. The report contains five recommendations to help EEOC improve its information security program and practices.

This report is intended solely for the information and use of the management of EEOC and OIG and is not intended to be and should not be used by anyone other than these specified parties.

Background

Organization

The U.S. Equal Employment Opportunity Commission (EEOC) is responsible for enforcing federal laws that make it illegal to discriminate against a job applicant or an employee because of the person's race, color, religion, sex (including pregnancy), national origin, age (40 or older), disability or genetic information. It is also illegal to discriminate against a person because the person complained about discrimination, filed a charge of discrimination, or participated in an employment discrimination investigation or lawsuit. The EEOC has the authority to investigate charges of discrimination against employers who are covered by the law.

The EEOC is composed of five Commissioners and a General Counsel appointed by the President and confirmed by the Senate. Commissioners are appointed for five-year staggered terms; the General Counsel's term is four years. The President designates a Chair and a Vice Chair. The Chair is the Chief Executive Officer of the EEOC.

The EEOC has 53 field offices and has its headquarters in Washington, D.C. Additional information about EEOC may be found at http://www.eeoc.gov.

Federal Information Security Management Act

The Federal Information Security Management Act of 2002 (FISMA) was enacted into law as Title III of the E-Government Act (E-Gov) of 2002 (P.L. 107-347, December 17, 2002). Key requirements of FISMA include:
- The establishment of an agency-wide information security program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source;
- An annual independent evaluation of the agency's information security programs and practices; and
- An assessment of compliance with the requirements of the Act.

FISMA requires agency heads to ensure that (1) employees are sufficiently trained in their security responsibilities, (2) a security incident response capability is established, and (3) information security management is integrated with the agency's strategic and operational planning processes. All agencies must also report annually to the Office of Management and Budget (OMB) and Congressional committees on the effectiveness of their information security program. In addition, FISMA has established that the standards and guidelines issued by the National Institute of Standards and Technology (NIST) are mandatory for Federal agencies.

Audit Objective

A key requirement of the Federal Information Security Management Act of 2002 is an annual independent evaluation of the Agency's information security program. As a result, Clifton Gunderson (CG) was contracted by the EEOC Office of Inspector General (OIG) to review the Agency's information security program and practices as set forth by the Federal Information Security Management Act of 2002 for FY 2011. The work performed under this engagement involved a review of the effectiveness of the Agency's Office of Information Technology (OIT) oversight of the Agency's information security program and an evaluation of six EEOC information systems: the EEOC Network, EEO-1 Survey System, Document Management System, Integrated Mission System, Integrated Financial Management System, and Federal Personnel and Payroll System.

In addition, we were required to complete the FY 2011 OMB FISMA Reporting Template, included as an annual reporting requirement for OIGs.

Scope

CG performed the audit in support of the EEOC OIG's FISMA reporting requirements. The period covered by this audit ended September 30, 2011. We conducted the audit in accordance with generally accepted government auditing standards. Those standards require that we plan and perform the audit to obtain sufficient appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit objective. We believe the evidence obtained provides a reasonable basis for our findings and conclusions based on our audit objective.

The purpose of the audit was to determine if EEOC's information security program met the requirements of FISMA. In assessing EEOC's adherence to FISMA, we conducted component level and system level testing to support FISMA compliance. In conducting our review of the Agency's Office of the CIO's oversight over EEOC's information security program and practices, the following areas were reviewed:
- Organizational responsibilities and authority
- Information security policies and procedures
- System security plans
- Risk assessments
- Continuity of operations plan
- Security incident reporting
- Security awareness, training, and education
- Certification and accreditation process
- Remedial action process (plan of action and milestones)
- System configuration management
- Annual information security program reporting

In regards to the system level testing, CG, in conjunction with the EEOC OIG, selected the EEOC Network, EEO-1 Survey System, Document Management System, Integrated Mission System, Integrated Financial Management System, and Federal Personnel and Payroll System to evaluate as part of the scope of work. The audit included the testing of selected management, technical, and operational controls of the information systems outlined in National Institute of Standards and Technology (NIST) Special Publication 800-53, Revision 3, Recommended Security Controls for Federal Information Systems. The following NIST Special Publication 800-53 control families were reviewed for the EEOC Network, EEO-1 Survey System, Document Management System, Integrated Mission System, Integrated Financial Management System, and Federal Personnel and Payroll System:
- Access Control
- Audit and Accountability
- Certification, Accreditation and Security Assessments
- Configuration Management
- Contingency Planning
- Identification and Authentication
- Maintenance
- Security Planning
- Risk Assessment
- System and Services Acquisition
- System and Communications Protection
- System and Information Integrity

In addition, we completed a follow-up review of prior year FISMA findings and recommendations to determine if EEOC had made progress on implementing the recommended improvements in its information security program.

Five NFRs were submitted to EEOC management to include findings from both the system reviews and the component level review.

At the time of the audit, EEOC operated the following information systems:
- EEOC Network (General Support System)
- Major Applications:
  - EEO-1 Survey System
  - Document Management System (DMS)
  - Integrated Mission System (IMS) (owned by another Federal Agency)
  - Integrated Financial Management System
  - Federal Personnel and Payroll System (owned by another Federal Agency)

This report is intended solely for the information and use of the management of EEOC and the EEOC OIG and is not intended to be and should not be used by anyone other than these specified parties.

Testing Methodology

To determine if EEOC's information security program met the requirements of FISMA, we conducted interviews with EEOC staff members and reviewed legal and regulatory requirements stipulated by FISMA. We also reviewed documentation related to EEOC's information security program.
These documents included, but were not limited to, EEOC's security policies and procedures, plan of action and milestones, system security plans, risk assessments, certification and accreditation documentation, contingency plans, and incident reporting procedures. In addition, we performed tests of system processes to determine the adequacy and effectiveness of those controls.

We also evaluated available data supporting EEOC's annual FISMA report to OMB on its information system security program.

Findings and Recommendations

EEOC has achieved progress towards FISMA compliance over the last year. Specifically, EEOC has implemented the following FISMA requirements:
- The Agency has established and is maintaining a certification and accreditation program, including sufficiently detailed documented procedures.
- The Agency has developed policies which define auditable events and log retention requirements as part of EEOC's continuous monitoring program.

Although EEOC has made improvements in its information security program, the agency still faces challenges to refine it. These challenges involve:
- Maintaining documentation for network access requests and approvals
- Implementing multi-factor authentication
- Updating the agency-wide Business Impact Analysis (BIA)
- Implementing controls over the agency's vulnerability assessment process
- Removing Virtual Private Network (VPN) access for separated employees in a timely manner

These findings are further discussed below.

Access Control/Identification and Authentication

Network access request forms were not adequately maintained. (NFR Reference # 2011-5)

Access request forms, which document the request and approval for network access, could not be provided for seven out of thirty employees sampled.

Without an appropriate access request form, excessive access to agency information may be granted and sensitive information could be compromised.

National Institute of Standards and Technology Special Publication (NIST SP) 800-53 Revision 3, Recommended Security Controls for Federal Information Systems, control AC-2, states the following regarding account management: "The organization manages information system accounts, including: Identifying account types (i.e., individual, group, system, application, guest/anonymous, and temporary); Establishing conditions for group membership; Identifying authorized users of the information system and specifying access privileges; Requiring appropriate approvals for requests to establish accounts; Establishing, activating, modifying, disabling, and removing accounts; Specifically authorizing and monitoring the use of guest/anonymous and temporary accounts; Notifying account managers when temporary accounts are no longer required and when information system users are terminated, transferred, or information system usage or need-to-know/need-to-share changes; Deactivating: (i) temporary accounts that are no longer required; and (ii) accounts of terminated or transferred users; Granting access to the system based on: (i) a valid access authorization; (ii) intended system usage; and (iii) other attributes as required by the organization or associated missions/business functions; and Reviewing accounts."

Recommendation No. 1: We recommend that EEOC implement a centralized repository to maintain control of access request forms.

Management Response: EEOC concurs and will create a centralized repository to maintain control of access request forms.

Auditor's Evaluation of Management's Response: Effective implementation of the actions noted in management's response should resolve the reported condition and recommendation.

EEOC did not fully implement multi-factor authentication. (NFR Reference # 2011-1)

Through inquiry with management and review of the Data Net System Security Plan, we determined that EEOC has not fully implemented multi-factor authentication for remote access through Virtual Private Network (VPN), or for network and local accounts. Although an Acceptance of Risk was provided for newly imaged laptops, legacy laptops use a common password as part of their two-factor authentication. Additionally, through inquiry with management, we were informed that full implementation of multi-factor authentication has been delayed due to budget constraints.

Without a fully implemented multi-factor authentication process, the risk of unauthorized access attempts succeeding is increased.

National Institute of Standards and Technology Special Publication (NIST SP) 800-53 Revision 3, Recommended Security Controls for Federal Information Systems, control IA-2, states the following regarding identification and authentication: "The information system uniquely identifies and authenticates organizational users (or processes acting on behalf of organizational users)." The applicable control enhancements state: "(1) The information system uses multifactor authentication for network access to privileged accounts. (2) The information system uses multifactor authentication for network access to non-privileged accounts. (3) The information system uses multifactor authentication for local access to privileged accounts. (8) The information system uses [Assignment: organization-defined replay-resistant authentication mechanisms] for network access to privileged accounts."

Recommendation No. 2: We recommend that EEOC implement multifactor authentication for network access to non-privileged and privileged accounts.

Management Response: EEOC concurs that multi-factor authentication has not been fully implemented due to budget constraints. The EEOC Chief Information Officer has reviewed the in-place compensating controls and accepted the risk of delayed implementation of multi-factor authentication, pending full distribution (80%) of HSPD-12 PIV2 Federal ID cards to agency staff. This acceptance of risk applies to access via both the new laptops as well as the older "COOP" laptops.

Auditor's Evaluation of Management's Response: Effective implementation of the actions noted in management's response should resolve the reported condition and recommendation.

Contingency Planning

An agency-wide Business Impact Analysis (BIA) had not been updated since 2002. (NFR Reference # 2011-2)

Through inquiry with the EEOC Chief Security Officer, we determined that the EEOC agency-wide Business Impact Analysis (BIA) has not been updated since 2002 to reflect the current system environment and to address the weaknesses identified during subsequent disaster recovery tests.

The lack of an up-to-date Business Impact Analysis creates a deficiency in the contingency planning process. A deficiency in this process means that key impacts or threats could be overlooked, leading to the ineffective or delayed recovery of agency systems.

National Institute of Standards and Technology (NIST) Special Publication 800-34, Revision 1, Contingency Planning Guide for Federal Information Systems, states: "The BIA is a key step in implementing the CP controls in NIST SP 800-53 and in the contingency planning process overall. The BIA enables the ISCP Coordinator to characterize the system components, supported mission/business processes, and interdependencies. The BIA purpose is to correlate the system with the critical mission/business processes and services provided, and based on that information, characterize the consequences of a disruption. The ISCP Coordinator can use the BIA results to determine contingency planning requirements and priorities. Results from the BIA should be appropriately incorporated into the analysis and strategy development efforts for the organization's COOP, BCPs, and DRP."

Recommendation No. 3: We recommend that EEOC management reevaluate and update the agency Business Impact Analysis to ensure it accurately represents the current EEOC environment and addresses the deficiencies noted in the disaster recovery tests.

Management Response: EEOC concurs that the BIA is out of date and had prior plans to update this document during the first quarter of 2012. EEOC notes, however, that the primary information in the BIA has been maintained and updated in the EEOC IT Contingency Plan.

Auditor's Evaluation of Management's Response: Effective implementation of the actions noted in management's response should resolve the reported condition and recommendation.

Configuration Management

Network vulnerability assessment control weaknesses. (NFR Reference # 2011-3)

Through inquiry with management and performance of an external network vulnerability assessment, we noted the following control weaknesses:
- EEOC management did not apply version releases promptly to critical network devices (1 critical and 5 high vulnerabilities were found).
- Credentialed network vulnerability scanning is not being performed.

Not updating servers promptly could expose EEOC to known security vulnerabilities that expose the systems to potential unauthorized access, data loss, data manipulation, and system unavailability.

EEOC Office of Information Technology Patch Management and System Maintenance Procedures, Version 1.3, dated June 2, 2009, states: "Standard patching for Windows and Novell servers will be performed during regular monthly maintenance weekends (as required). Standard patching for the Oracle and Unix environments will occur quarterly, during the scheduled maintenance weekend. Patching/upgrade of the desktop environment will also occur quarterly (Feb, May, Aug, Nov), through network distribution. Patching of routers and switches will be conducted on an 'as necessary' basis, with the timing dependent on the criticality of the patch."

National Institute of Standards and Technology (NIST) Special Publication 800-53, Revision 3, Recommended Security Controls for Federal Information Systems and Organizations, states: "SI-2 - The organization identifies information systems containing software affected by recently announced software flaws (and potential vulnerabilities resulting from those flaws). The organization (or the software developer/vendor in the case of software developed and maintained by a vendor/contractor) promptly installs newly released security relevant patches, service packs, and hot fixes, and tests patches, service packs, and hot fixes for effectiveness and potential side effects on the organization's information systems before installation."

Recommendation No. 4: We recommend that EEOC management:
- Apply software security patch releases on a timely basis to protect against known vulnerabilities.
- Follow Federal guidance in applying Critical Patch Updates on the required timelines to ensure the systems are not left susceptible to known vulnerabilities.
- Perform credentialed scans.

Management Response: For recommendation items 1 and 2, EEOC concurs that security patch releases and critical patch updates should be implemented in a timely fashion. EEOC notes, however, that this finding is based on scan results for Apache software, which, although not at the most current version, was up to date with all patches (as demonstrated in screen shots provided to the auditor). EEOC will upgrade to the recommended version by the end of October.

For recommendation item 3, EEOC will assess credential-based agentless scans (via Nessus) against agent-based scans (via ZENworks 11), as the agent-based alternative appears to have additional benefits, such as eliminating the need for system administrators to maintain credentials on the scanning tools. EEOC will select the preferred approach and identify configuration requirements in 1Q 2012. Credentialed scans or agent-based equivalents will be initiated during 2Q 2012.

Auditor's Evaluation of Management's Response: Effective implementation of the actions noted in management's response should resolve the reported condition and recommendation.

Account and Identity Management

Excessive Virtual Private Network (VPN) accounts. (NFR Reference # 2011-4)

Through testing of active VPN accounts, we found 1 separated contractor and 8 separated employees on the list of active VPN accounts.

By leaving VPN accounts enabled for separated users, EEOC faces increased exposure to the risk of unauthorized access attempts.

EEOC OIT Account Management Procedure (version 2.0), dated 07/11/2011, states: "Appendix D - Separation Activities Schedule and POCs: It is the responsibility of the VPN admin under the offices of OIT and TND, for both headquarters and field offices, that they
- Disable and delete account as of COB date of separation or upon receipt of notification e-mail (if notice is post-separation).
- Send confirmation e-mail to DSSD telework administrator.
- Update list of VPN users on S:\CLEARANCE"

National Institute of Standards and Technology, Special Publication 800-53 Revision 3, Access Control, AC-2 "Account Management" states: "The organization manages information system accounts, including: Deactivating: (i) temporary accounts that are no longer required; and (ii) accounts of terminated or transferred users."

Recommendation No. 5: We recommend that EEOC management remove the VPN accounts of separated employees/contractors and adhere to agency policy.
A recertification of accounts should be performed to ensure that only active employees have active accounts.

Management Response: EEOC concurs and will institute quality assurance measures to ensure that the current policy for timely removal of VPN accounts and annual recertification is being followed.

Auditor's Evaluation of Management's Response: Effective implementation of the actions noted in management's response should resolve the reported condition and recommendation.

Appendix A: Status of Prior Year (FY2010) Findings

Each prior year item is listed with its Finding, Description, Control Family, Current Year Status, and Comments.

Item 1
Finding: Certification and accreditation procedures are not fully developed or consistently implemented.
Description: During interviews it was determined that NIST 800 series documents are followed as guidance for C&A, but there is no detailed documentation of EEOC procedures for completing a C&A. SSPs reviewed do not show identification of common controls or usage of common controls within the organization. SSP reviews show that "organization defined" portions of NIST controls are not documented.
Control Family: Certification and accreditation
Current Year Status: Closed
Comments: Certification and accreditation policy and procedures were established.

Item 2
Finding: Information systems are not properly categorized (FIPS 199/SP 800-60).
Description: We did not find any approval signatures on the FIPS categorization document as required by the CIO/CSO.
Control Family: Certification and accreditation
Current Year Status: Closed
Comments: CIO/CSO reviewed and signed categorization documents for each system.

Item 3
Finding: Minimum baseline security controls are not adequately applied to information systems (FIPS 200/SP 800-53).
Description: FISMA/NIST requires implementation of the NIST 800-53 Rev 3 controls within one year of the release of the document. EEOC systems are not currently using the Rev 3 controls and do not have a documented plan to transition to NIST 800-53 Rev 3. Revision 3 was released August 2009.
Control Family: Certification and accreditation
Current Year Status: Closed
Comments: Security Plans are in compliance with NIST 800-53, Revision 3.

Item 4
Finding: Other
Description: The Data Net SSP references Momentum and IFMS as two separate major applications. It was clarified during interviews that the names refer to the same system. Data Net, as a GSS on which multiple information systems reside, does not delineate the common controls it provides to the multiple major and minor systems that reside on it. Additionally, the GSS SSP does not list the minor systems that are used by the agency or those that depend on the GSS.
Control Family: Certification and accreditation
Current Year Status: Closed
Comments: References were fixed, and common controls and minor systems are now listed.

Item 5
Finding: Software scanning capabilities are not fully implemented (NIST 800-53: RA-5, SI-2).
Description: Although software scanning is taking place, the scanning capability is currently limited: scan reports were extremely hard to decipher; authenticated scans are not being conducted; complete vulnerability scans of all devices on the network are not conducted, only representative samples are scanned. Based on review of policy and interviews it was not clear how often scans are conducted. The responses varied between 1 and 6 scans conducted within a year.
Control Family: Configuration Management
Current Year Status: Open
Comments: Credentialed scans are still not being performed. Some version upgrade issues were noted. (See NFR # 2011-03)

Item 6
Finding: Remote access procedures are not fully developed or consistently implemented.
Description: The remote access password (CISCO configuration screen capture provided) is not required to be sufficiently complex: a password length of 5 characters is permitted and an "only character" password is acceptable. The lack of password complexity and length is against best practices, NIST guidance, and EEOC policy and procedures.
Control Family: Remote Access Management
Current Year Status: Closed
Comments: Password length was revised from 5 characters to an 8-character minimum.

Item 7
Finding: Multi-factor authentication is not properly deployed (NIST 800-46, Section 2.2, Section 3.3).
Description: Multi-factor authentication is planned and currently not in place. EEOC has not yet implemented two-factor authentication for remote VPN access to the network because it is waiting to implement the Homeland Security Presidential Directive (HSPD)-12 compliant smart card badge system. This issue has been on the EEOC POA&M for multiple years.
Control Family: Remote Access Management
Current Year Status: Open
Comments: Multi-factor authentication was not fully implemented. (See NFR # 2011-01)

Item 8
Finding: Account management procedures are not fully developed or consistently implemented.
Description: Although account management procedures exist, they are not consistently implemented. See g below. 8g identifies the accounts reviewed. We believe that the finding applies to both Cyberscope categories.
Control Family: Account and identity management
Current Year Status: Open
Comments: Some sampled access request forms were not provided. (See NFR # 2011-05)

Item 9
Finding: Accounts are not properly terminated when users no longer require access (NIST 800-53, AC-2).
Description: Several UIDs on the list of enabled VPN accounts corresponded to users who had been separated from the organization for several months. The HP UNIX server reviewed with the UNIX system administrator showed the "hptech" account was not being used but was enabled with admin privileges. Additionally, the list of active users on the UNIX server did not match the list of IMS users with elevated privileges provided.
Control Family: Account and identity management
Current Year Status: Open
Comments: VPN access for some sampled separated employees was not disabled. (See NFR # 2011-04)

Item 10
Finding: Agency does not use multi-factor authentication where required (NIST 800-53, IA-2).
Description: Multi-factor authentication is planned and currently not in place.
Control Family: Account and identity management
Current Year Status: Open
Comments: Multi-factor authentication was not fully implemented. (See NFR # 2011-01)

Item 11
Finding: Agency does not use dual accounts for administrators (NIST 800-53, AC-5, AC-6).
Description: Per interview with the Windows server system administrator, it was determined that dual accounts for Windows administrators are not used.
Control Family: Account and identity management
Current Year Status: Closed
Comments: It was determined that shared accounts were not used in an Active Directory environment; thus the arrangement of accounts is accepted.

Item 12
Finding: Other
Description: Microsoft server administrators share admin accounts.
Control Family: Account and identity management
Current Year Status: Closed
Comments: It was determined that shared accounts were not used in an Active Directory environment; thus the arrangement of accounts is accepted.

Item 13
Finding: Continuous monitoring policy is not fully developed.
Description: A Continuous Monitoring program is currently under development. Policies are missing, including those defining auditable events and log retention requirements.
Control Family: Continuous Monitoring
Current Year Status: Closed
Comments: Audit policies were established.

Item 14
Finding: Continuous monitoring procedures are not fully developed or consistently implemented.
Description: A Continuous Monitoring program is currently under development. The agency does not define procedures for logging events, reviewing logs, and log management.
Control Family: Continuous Monitoring
Current Year Status: Closed
Comments: EEOC has defined procedures in policies and security plans.

Item 15
Finding: Strategy or plan has not been fully developed for entity-wide continuous monitoring (NIST 800-37).
Description: A Continuous Monitoring program is currently under development.
Control Family: Continuous Monitoring
Current Year Status: Closed
Comments: EEOC has established a Continuous Monitoring Policy as well as Audit Policies.
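A check for the condition behind Recommendation No. 5 and prior year item 9 (VPN accounts still enabled for separated users), written here as an added example that is not part of the report or of EEOC's own tooling. It encodes the rule quoted from the OIT Account Management Procedure (disable as of COB on the separation date, or on receipt of a post-separation notification e-mail) and the annual recertification against the current roster; all account names, dates and rosters are constructed sample data.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, Iterable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class VpnAccount:
    uid: str
    enabled: bool


@dataclass(frozen=True)
class Separation:
    uid: str
    separation_date: date        # account is due for disablement as of COB this day
    user_type: str               # "employee" or "contractor"
    notified_on: Optional[date]  # date the VPN admin received notice, if post-separation


# Constructed sample data; not the agency's records.
VPN_ACCOUNTS: List[VpnAccount] = [
    VpnAccount("jdoe", True),
    VpnAccount("asmith", True),
    VpnAccount("bjones", True),    # separated employee, still enabled
    VpnAccount("ctr_lee", True),   # separated contractor, still enabled
    VpnAccount("mwong", False),    # separated, correctly disabled
    VpnAccount("rkim", True),      # post-separation notice received today: not yet overdue
    VpnAccount("ghost01", True),   # enabled but on neither roster
]

ACTIVE_ROSTER: Set[str] = {"jdoe", "asmith"}   # current staff per HR

SEPARATIONS: List[Separation] = [
    Separation("bjones", date(2011, 5, 2), "employee", None),
    Separation("ctr_lee", date(2011, 7, 15), "contractor", None),
    Separation("mwong", date(2011, 6, 1), "employee", None),
    Separation("rkim", date(2011, 9, 20), "employee", date(2011, 9, 30)),
]


def due_date(sep: Separation) -> date:
    """Disable as of COB on the separation date, or on receipt of a
    post-separation notification e-mail, whichever is later."""
    if sep.notified_on is not None and sep.notified_on > sep.separation_date:
        return sep.notified_on
    return sep.separation_date


def overdue_accounts(accounts: Iterable[VpnAccount],
                     separations: Iterable[Separation],
                     as_of: date) -> List[Tuple[str, str, int]]:
    """Enabled VPN accounts of separated users whose due date has passed.
    Returns (uid, user_type, days_overdue), most overdue first. An account
    whose due date is today is not yet overdue (COB has not passed)."""
    by_uid: Dict[str, Separation] = {s.uid: s for s in separations}
    findings: List[Tuple[str, str, int]] = []
    for acct in accounts:
        sep = by_uid.get(acct.uid)
        if not acct.enabled or sep is None:
            continue
        due = due_date(sep)
        if as_of > due:
            findings.append((acct.uid, sep.user_type, (as_of - due).days))
    return sorted(findings, key=lambda f: -f[2])


def summarize(findings: Iterable[Tuple[str, str, int]]) -> Dict[str, int]:
    """Count overdue accounts per user type, the shape of the audit's
    '1 separated contractor and 8 separated employees'."""
    counts: Dict[str, int] = {}
    for _, user_type, _ in findings:
        counts[user_type] = counts.get(user_type, 0) + 1
    return counts


def recertify(accounts: Iterable[VpnAccount], active_roster: Set[str]) -> List[str]:
    """Annual recertification: every enabled account must belong to someone on
    the current roster. This also catches separated users who never reached
    the separation list (the 'ghost01' case in the sample data)."""
    return sorted(a.uid for a in accounts if a.enabled and a.uid not in active_roster)


def run_check(as_of_iso: str) -> List[Tuple[str, str, int]]:
    """Run the overdue check against the sample data for an ISO date."""
    return overdue_accounts(VPN_ACCOUNTS, SEPARATIONS, date.fromisoformat(as_of_iso))


if __name__ == "__main__":
    found = run_check("2011-09-30")    # end of the FY 2011 audit period
    for uid, kind, days in found:
        print(f"{uid:10s} {kind:10s} overdue by {days} days")
    print("summary:", summarize(found))
    print("enabled but not on active roster:", recertify(VPN_ACCOUNTS, ACTIVE_ROSTER))
```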